http://bugzilla.opensuse.org/show_bug.cgi?id=1112824
http://bugzilla.opensuse.org/show_bug.cgi?id=1112824#c73

--- Comment #73 from Michiel Janssens <michiel@nexigon.net> ---

(In reply to Borislav Petkov from comment #72)
> (In reply to Nicolás Luciano Bértolo from comment #70)
> > I can confirm that those parameters help a lot. But in my tests I couldn't find a difference between 4.19 and 4.20. 4.20 with mitigations enabled is just as bad as 4.19-default.
> Well, the mitigations do cost and we've tried to make them as unpunishing as possible. For example, my workstation with 20-rc5 has:
>
> /sys/devices/system/cpu/vulnerabilities/l1tf:Not affected
> /sys/devices/system/cpu/vulnerabilities/meltdown:Not affected
> /sys/devices/system/cpu/vulnerabilities/spec_store_bypass:Mitigation: Speculative Store Bypass disabled via prctl and seccomp
> /sys/devices/system/cpu/vulnerabilities/spectre_v1:Mitigation: __user pointer sanitization
> /sys/devices/system/cpu/vulnerabilities/spectre_v2:Mitigation: Full AMD retpoline, IBPB: conditional, STIBP: disabled, RSB filling
>
> which means that SSB will be enabled only for applications which request it (prctl and seccomp), spectre_v2 is mitigated by retpolines (a lot cheaper than IBRS) and the indirect branch predictor barrier happens when switching between different user processes of which one can be a malicious one.
>
> And this is the default setting.
>
> The whole idea behind having all those cmdline options was for people who don't want to sacrifice performance and would like to disable the security mitigations. So the ultimate decision will be with the user.
>
> In any case, the default case does enable a *sensible* set of the mitigations but they are not for free(!) and depend on the workload.
>
> I hope I'm making sense here.
To me you are making sense, thank you for looking into this. I have the same result as https://bugzilla.opensuse.org/show_bug.cgi?id=1112824#c70

However, I also tested kernel-vanilla, from Head and current 4.19.5. Kernel-vanilla gives a similar or almost similar result as with mitigations off, as you mentioned in https://bugzilla.opensuse.org/show_bug.cgi?id=1112824#c66

But in my understanding kernel-vanilla has all default mitigations on, as running latest spectre-meltdown-checker says my system is not vulnerable. So it seems to me there must be a difference in the kernels.

4.19.5-1-vanilla:
/sys/devices/system/cpu/vulnerabilities/l1tf Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
/sys/devices/system/cpu/vulnerabilities/meltdown Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/spectre_v1 Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2 Mitigation: Full generic retpoline, IBPB, IBRS_FW

4.19.5-1-default:
/sys/devices/system/cpu/vulnerabilities/l1tf Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
/sys/devices/system/cpu/vulnerabilities/meltdown Mitigation: PTI
/sys/devices/system/cpu/vulnerabilities/spec_store_bypass Mitigation: Speculative Store Bypass disabled via prctl and seccomp
/sys/devices/system/cpu/vulnerabilities/spectre_v1 Mitigation: __user pointer sanitization
/sys/devices/system/cpu/vulnerabilities/spectre_v2 Mitigation: Indirect Branch Restricted Speculation, IBPB, IBRS_FW

Apparently on my Intel system both kernels have different spectre_v2 mitigations. Kernel-default is using IBRS, which as you say is more expensive than retpoline, which is used by kernel-vanilla.
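The comparison above was done by reading the per-vulnerability status files under /sys/devices/system/cpu/vulnerabilities by hand. The script below is an added example (not code from the bug report or from either reporter) that does the same thing reproducibly: it summarises such a directory, diffs two of them, and classifies the spectre_v2 line as retpoline-based or IBRS-based. The helper `make_sample` builds constructed directories that mimic the sysfs layout using the status strings quoted in the comment, so the script runs offline; point `VULN_DIR` at the real sysfs path on a live system. Function names and the flavour labels are the example's own.

```shell
#!/bin/sh
# Added example: inspect and compare CPU vulnerability status directories.
# Default to the real sysfs location; tests point this at constructed copies.
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# vuln_summary DIR: print "<name>\t<status>" for every status file in DIR.
vuln_summary() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# vuln_diff DIR_A DIR_B: print the names whose status differs (or is missing in B).
vuln_diff() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        n=$(basename "$f")
        if [ ! -f "$2/$n" ] || [ "$(cat "$f")" != "$(cat "$2/$n")" ]; then
            echo "$n"
        fi
    done
}

# spectre_v2_flavour DIR: label the spectre_v2 mitigation so two kernels can be
# compared at a glance. Labels are this example's own, derived from the
# substrings the kernel prints ("retpoline", "Indirect Branch Restricted
# Speculation", "Vulnerable", "Not affected").
spectre_v2_flavour() {
    status=$(cat "$1/spectre_v2" 2>/dev/null) || { echo unknown; return 0; }
    case "$status" in
        *retpoline*)                                echo retpoline ;;
        *"Indirect Branch Restricted Speculation"*) echo ibrs ;;
        "Not affected"*)                            echo not_affected ;;
        Vulnerable*)                                echo none ;;
        *)                                          echo unknown ;;
    esac
}

# make_sample DIR SPECTRE_V2_LINE: constructed sysfs look-alike using the
# status strings quoted in the bug comment; only spectre_v2 varies.
make_sample() {
    mkdir -p "$1"
    echo "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable" > "$1/l1tf"
    echo "Mitigation: PTI" > "$1/meltdown"
    echo "Mitigation: Speculative Store Bypass disabled via prctl and seccomp" > "$1/spec_store_bypass"
    echo "Mitigation: __user pointer sanitization" > "$1/spectre_v1"
    echo "$2" > "$1/spectre_v2"
}

# Demo: compare the two kernels from the comment, then the live system if present.
demo() {
    tmp=$(mktemp -d)
    make_sample "$tmp/vanilla" "Mitigation: Full generic retpoline, IBPB, IBRS_FW"
    make_sample "$tmp/default" "Mitigation: Indirect Branch Restricted Speculation, IBPB, IBRS_FW"
    echo "vanilla spectre_v2: $(spectre_v2_flavour "$tmp/vanilla")"
    echo "default spectre_v2: $(spectre_v2_flavour "$tmp/default")"
    echo "files that differ:  $(vuln_diff "$tmp/vanilla" "$tmp/default")"
    [ -d "$VULN_DIR" ] && { echo "live system:"; vuln_summary "$VULN_DIR"; }
    rm -rf "$tmp"
}
demo
```

Run it on the reporter's two machines (or two boots of the same machine) and compare the `vuln_diff` output; with the values quoted above the only differing file is spectre_v2, with the vanilla kernel classified as `retpoline` and the default kernel as `ibrs`.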